Bug 29046 - wpa_supplicant, hostapd new security issue CVE-2021-30004
Summary: wpa_supplicant, hostapd new security issue CVE-2021-30004
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK MGA7-32...
Keywords: advisory, validated_update
Depends on:
Reported: 2021-05-30 23:11 CEST by David Walser
Modified: 2021-06-13 23:34 CEST (History)
3 users (show)

See Also:
Source RPM: wpa_supplicant-2.9-8.1.mga8.src.rpm, hostapd-2.9-5.mga8.src.rpm
CVE: CVE-2021-30004
Status comment:


David Walser 2021-05-30 23:11:23 CEST

CC: (none) => mageia
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2021-06-02 21:23:52 CEST
NicolasL has done recent CVE updates for this, so assigning the bug to you (no registered maintainer).

CC: mageia => (none)
Assignee: bugsquad => mageia

Comment 2 Nicolas Lécureuil 2021-06-05 23:59:09 CEST
fixed in cauldron mga7/8

    - mga7:
           - wpa_supplicant-2.9-1.5.mga7
           - hostapd-2.9-1.3.mga7

    - mga8:
           - wpa_supplicant-2.9-8.2.mga8
           - hostapd-2.9-5.1.mga8

Status comment: Patch available from upstream => (none)
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: mageia => qa-bugs

Comment 3 David Walser 2021-06-06 15:45:43 CEST
RPMS list:
Comment 4 Thomas Andrews 2021-06-07 13:31:34 CEST
mga8-64 Plasma on an HP Probook 6550b with Intel wifi hardware, using Network Manager.

No installation issues. Did a reboot, just to see if the network comes up normally. 

Also installed wpa_supplicant-gui for the first time, and took a look. The gui was not able to get any information about the network, presumably because it had not been configured yet. I decided against trying to configure it, as Network Manager already has that job and I didn't want to confuse things. However, I did look at the screens in the gui, and they all looked as I would expect.

As far as I went, all looks good. Will try another system using the Network Center later.

CC: (none) => andrewsfarm

Comment 5 Aurelien Oudelet 2021-06-08 21:41:57 CEST
wpa_supplicant is used by NetworkManager

MGA7 Plasma 64 with NetworkManager.
Applying updates OK.
WiFi still reachable and can connect to my AP.

MGA8 Plasma 64 with NetworkManager.
Applying updates OK.
Idem. WiFi still OK.

# systemctl status wpa_supplicant
● wpa_supplicant.service - WPA Supplicant daemon
     Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2021-06-08 21:32:23 CEST; 8s ago
   Main PID: 231876 (wpa_supplicant)
      Tasks: 1 (limit: 19128)
     Memory: 768.0K
        CPU: 2ms
     CGroup: /system.slice/wpa_supplicant.service
             └─231876 /usr/sbin/wpa_supplicant -u -P /run/wpa_supplicant.pid -s -c /etc/wpa_supplicant.conf

juin 08 21:32:23 mageia.local systemd[1]: Starting WPA Supplicant daemon...
juin 08 21:32:23 mageia.local wpa_supplicant[231876]: Successfully initialized wpa_supplicant
juin 08 21:32:23 mageia.local systemd[1]: Started WPA Supplicant daemon.

OK Good to go for wpa_supplicant part.

For hostapd, this is to create an Access Point from your own WiFi card.
> hostapd is a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators and RADIUS authentication server. The current version supports Linux (Host AP, mac80211-based drivers) and FreeBSD (net80211).

> hostapd is designed to be a "daemon" program that runs in the background and acts as the backend component controlling authentication. hostapd supports separate frontend programs and an example text-based frontend, hostapd_cli, is included with hostapd.

Not installed by default.
A clean install on both system runs well.

Unsure how to go further on this but, plasma-applet-nm has a "Access point" creation button. This seems to share system wired connection to WiFi Device. But, it requires dnsmasq which is not installed...

Correcting mga8 srpm field.

CVE: (none) => CVE-2021-30004
CC: (none) => ouaurelien
Source RPM: wpa_supplicant-2.9-9.mga9.src.rpm, hostapd-2.9-5.mga8.src.rpm => wpa_supplicant-2.9-8.1.mga8.src.rpm, hostapd-2.9-5.mga8.src.rpm

Comment 6 Thomas Andrews 2021-06-08 22:30:36 CEST
Now I'm confused. I was going to test the mesa update with my old Dell Inspiron, so I decided to try this update with that, too. It's a 32-bit Xfce system, using our Network Center to manage connections.

The update weent well, and afterward wifi came right up at boot and is working with no problems. But, when I tried the above status command I'm told wpa_supplicant is loaded but disabled, dead. 

Is this normal?

Off to check Mageia 7 on the same hardware...
Comment 7 David Walser 2021-06-08 22:35:31 CEST
Yes, the Mageia network applet calls wpa_supplicant when it needs it, we don't use the systemd service.
Comment 8 Thomas Andrews 2021-06-08 23:36:01 CEST
Working OK in Mageia 7 32-bit, too. I don't have a clue about hostapd either, but from the description I doubt anyone would try to run it on real 32-bit hardware, anyway. So, I'm giving this an OK for mga8-64 and -32, and mga7-32. I have a 64-bit mga7 system handy that uses networkmanager, so I will give it a test on that, too (just in case)

Whiteboard: MGA7TOO => MGA7TOO MGA7-32-OK MGA8-32-OK MGA8-64-OK

Comment 9 Thomas Andrews 2021-06-09 00:21:28 CEST
Sorry Aurelien, I skipped right over the part where you had already checked mga7 as well. So, my tests confirm yours, except that in reading /usr/share/doc/hostapd/READ.ME, which admittedly is far beyond my understanding, hostapd seemed as if it does quite a bit more than you suggest. But, I did install it cleanly, and it didn't seem to hurt anything, so I'd say it's good to go. 

Adding the OK that should have been there before, and validating.

CC: (none) => sysadmin-bugs
Whiteboard: MGA7TOO MGA7-32-OK MGA8-32-OK MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK MGA7-32-OK MGA8-32-OK
Keywords: (none) => validated_update

Comment 10 Aurelien Oudelet 2021-06-12 22:10:49 CEST

Updated wpa_supplicant and hostapd packages fix a security vulnerability

The wpa_supplicant and hostapd packages are updated to fix a forging attacks that may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c. (CVE-2021-30004).

- https://bugs.mageia.org/show_bug.cgi?id=29046
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30004
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EXT3Y5NEGCCPGZ7FTYURPUBTHNNJA6MF/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4XPNZHCXJ32COQGQ62HNGD6DHPO5E552/

Updated packages in 7/core/updates_testing:

from SRPM:

Updated packages in 8/core/updates_testing:

from SRPM:

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-06-13 23:34:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.